From PC World: Google ignored Microsoft’s calls for flexible vulnerability disclosure deadlines and released details of another unpatched Windows flaw, leaving users exposed for at least the next 25 days.
The new vulnerability, which was confirmed on Windows 7 and 8.1, might constitute a security feature bypass for the way applications can encrypt their memory so that data can be exchanged between processes running under the same logon session.
“The issue is the implementation in CNG.sys doesn’t check the impersonation level of the token when capturing the logon session id (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session,” the Google Project Zero researchers said in a description of the flaw. “This might be an issue if there’s a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section.”
According to Project Zero, Microsoft was notified of the vulnerability on Oct. 17 and initially planned to fix it during its January Patch Tuesday, three days ago. However, the fix had to be postponed because of compatibility issues.
The Google researchers were unmoved by this and stuck to their 90-day public disclosure deadline, publishing details of the flaw and a proof-of-concept exploit Thursday.
View: Article @ Source Site
